The following scenario is prone to a crash due to a buffer overflow:
- App (commonly a 16-bit app) displays file-open dialog in Win3.1 style.
- User double-clicks directory item in directory listbox, which is longer
than the first item displayed in the directory listbox.
The root cause is that the DIALOG_DlgDirSelect proc incorrectly queries
for the length of the first item in the directory listbox, regardless of
the one that is actually selected by the user. The proc then allocates a
buffer based on this calculation. However, the LB_GETTEXT is sent with the
correct item to retrieve. If the selected item is long enough (much longer
than the first item in the listbox), the buffer allocated will be overrun
and a crash is almost certain.
The attached patch fixes this.
Changelog:
* Query for length of correct item in directory listbox. Fixes crash in
Win3.1-style file open dialog.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wine-user32-dialog-fix-navigation-crash.patch
Type: text/x-patch
Size: 606 bytes
Desc: not available
Url : http://www.winehq.org/pipermail/wine-patches/attachments/20070819/690fdde8/wine-user32-dialog-fix-navigation-crash.bin
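The patch itself is scrubbed above, so the sizing mistake it describes is reproduced below as an added, self-contained C example. This is not Wine's DLGDIRSELECT code and not the attached patch: the listbox contents are constructed, and lb_gettextlen()/lb_gettext() are stand-ins for the LB_GETTEXTLEN/LB_GETTEXT messages (the stand-in lb_gettext takes a buffer size so the demo can report the overrun instead of corrupting the heap; the real message has no such argument). alloc_size_buggy() sizes the buffer from item 0 the way the message describes, alloc_size_fixed() from the selected item.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed listbox contents (not from Wine): the first item is short,
 * a later item is much longer, as in the crash scenario. */
static const char *const listbox_items[] = {
    "[..]",
    "[a-much-longer-directory-name-than-the-first]",
    "[x]",
};
#define LISTBOX_COUNT ((int)(sizeof listbox_items / sizeof listbox_items[0]))

/* Stand-in for LB_GETTEXTLEN: text length of an item, not counting the NUL.
 * Returns -1 (LB_ERR-like) for an invalid index. */
static int lb_gettextlen(int index)
{
    if (index < 0 || index >= LISTBOX_COUNT) return -1;
    return (int)strlen(listbox_items[index]);
}

/* Stand-in for LB_GETTEXT. The real message trusts the caller's buffer and
 * writes the whole string; here the size is checked so an undersized buffer
 * yields -1 instead of an overrun. Returns characters copied on success. */
static int lb_gettext(int index, char *buf, size_t bufsize)
{
    if (index < 0 || index >= LISTBOX_COUNT) return -1;
    size_t need = strlen(listbox_items[index]) + 1;
    if (need > bufsize) return -1;          /* real LB_GETTEXT would overrun here */
    memcpy(buf, listbox_items[index], need);
    return (int)(need - 1);
}

/* Broken sizing: query the first item's length no matter what is selected. */
static size_t alloc_size_buggy(int selected)
{
    (void)selected;
    return (size_t)lb_gettextlen(0) + 1;
}

/* Correct sizing: query the length of the item that is actually selected. */
static size_t alloc_size_fixed(int selected)
{
    return (size_t)lb_gettextlen(selected) + 1;
}

/* Fetch the selected item's text with the chosen sizing policy.
 * Returns 1 and sets *out (caller frees) on success, 0 if the buffer would
 * have been overrun or the index is invalid. */
int dlg_dir_select(int selected, int use_fix, char **out)
{
    *out = NULL;
    if (lb_gettextlen(selected) < 0) return 0;
    size_t size = use_fix ? alloc_size_fixed(selected)
                          : alloc_size_buggy(selected);
    char *buf = malloc(size);
    if (!buf) return 0;
    if (lb_gettext(selected, buf, size) < 0) {   /* item longer than item 0 */
        free(buf);
        return 0;
    }
    *out = buf;
    return 1;
}

/* Convenience wrapper: 1 if the select succeeds, 0 if it would overrun. */
int select_ok(int selected, int use_fix)
{
    char *text;
    int ok = dlg_dir_select(selected, use_fix, &text);
    if (ok && strcmp(text, listbox_items[selected]) != 0) ok = 0;
    free(text);
    return ok;
}

int main(void)
{
    for (int i = 0; i < LISTBOX_COUNT; i++)
        printf("item %d needs %zu bytes: item-0 sizing %s, selected-item sizing %s\n",
               i, strlen(listbox_items[i]) + 1,
               select_ok(i, 0) ? "ok" : "OVERRUN",
               select_ok(i, 1) ? "ok" : "fail");
    return 0;
}
```

Only items no longer than the first one survive the buggy sizing; the long second item overruns, which is why the crash shows up when the user double-clicks a long directory name further down the list, while the first entry always works.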